git: e27e9b3ac329 - stable/13 - pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
Date: Fri, 07 Jul 2023 18:52:20 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=e27e9b3ac329b8d01c0800de32c735b2363c8862
commit e27e9b3ac329b8d01c0800de32c735b2363c8862
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-06-23 13:54:39 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-07-07 18:46:08 +0000
pseudofs: Fix a potential out-of-bounds access in pfs_lookup()
pseudofs nodes store their name in a flexible array member, so the node
allocation is sized using the length of the name, including a nul
terminator. pfs_lookup() scans a directory of nodes, comparing names to
find a match. The comparison was incorrect and assumed that all node
names were at least as long as the name being looked up, which of course
isn't true.
I believe the bug is mostly harmless since it cannot result in false
positive or negative matches from the lookup, but it triggers a KASAN
check.
Reported by: pho
Reviewed by: kib, Olivier Certner <olce.freebsd@certner.fr>
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40692
(cherry picked from commit fc915f1be145a52c53f6f1c37525043216e32bb8)
---
sys/fs/pseudofs/pseudofs_vnops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index e0c795ed2a25..5eccc7ac4b43 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -537,8 +537,8 @@ pfs_lookup(struct vop_cachedlookup_args *va)
for (pn = pd->pn_nodes; pn != NULL; pn = pn->pn_next)
if (pn->pn_type == pfstype_procdir)
pdn = pn;
- else if (pn->pn_name[namelen] == '\0' &&
- bcmp(pname, pn->pn_name, namelen) == 0) {
+ else if (strncmp(pname, pn->pn_name, namelen) == 0 &&
+ pn->pn_name[namelen] == '\0') {
pfs_unlock(pd);
goto got_pnode;
}
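Review bot: the `pn->pn_name[namelen]` read in the new `else if` is in bounds only because `strncmp()` runs first and stops at the node's NUL terminator, and nothing in the code says so. A short comment above the condition stating that the operand order matters, and that `bcmp()` must not be restored there because it compares `namelen` bytes regardless of how long the node name is, would keep a later cleanup from reintroducing the KASAN report.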
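The out-of-bounds index described in the commit message, as an added userland example that is not FreeBSD code and not part of the original commit. `struct node`, `node_new`, `sample_dir`, `count_oob_old` and `lookup_fixed` are hypothetical names, the directory contents are constructed, and the lookup name is assumed to contain no NUL in its first `namelen` bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userland stand-in for a pseudofs node: the name lives in a
 * flexible array member sized to strlen(name) + 1, as the commit describes. */
struct node {
    struct node *next;
    size_t alloc;              /* bytes in name[]; tracked for this demo only */
    char name[];
};

static struct node *node_new(const char *name, struct node *next) {
    size_t alloc = strlen(name) + 1;
    struct node *n = malloc(sizeof(*n) + alloc);
    if (n == NULL)
        abort();
    n->next = next;
    n->alloc = alloc;
    memcpy(n->name, name, alloc);
    return n;
}

/* Constructed sample directory: "a" -> "status" -> "cmdline". */
static struct node *sample_dir(void) {
    return node_new("a", node_new("status", node_new("cmdline", NULL)));
}

/* Old order indexed name[namelen] first. Count the nodes for which that index
 * lies outside the allocation, without performing the read. */
static size_t count_oob_old(const struct node *dir, size_t namelen) {
    size_t hits = 0;
    for (; dir != NULL; dir = dir->next)
        if (namelen >= dir->alloc)
            hits++;
    return hits;
}

/* Fixed order: strncmp() stops at the node's NUL, so name[namelen] is read
 * only after namelen bytes matched and the index is known to be in bounds. */
static const struct node *lookup_fixed(const struct node *dir, const char *pname, size_t namelen) {
    for (; dir != NULL; dir = dir->next)
        if (strncmp(pname, dir->name, namelen) == 0 && dir->name[namelen] == '\0')
            return dir;
    return NULL;
}

int main(void) {
    struct node *dir = sample_dir();
    printf("old check out of bounds on %zu nodes\n", count_oob_old(dir, 7));
    printf("fixed lookup: %s\n", lookup_fixed(dir, "cmdline/x", 7)->name);
    return 0;
}
```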